How I Accidentally Found Stored XSS On Tokopedia

So, recently I found a Stored XSS on Tokopedia. I found it by accident while buying something on Tokopedia. Here is the story:

Summary

After finding the Stored XSS described in my previous post and being rewarded by Tokopedia, I started looking for a smartphone on Tokopedia. While checking out as usual, I had the idea of filling every field with an XSS payload, so I filled all the fields with payloads from XSS Hunter. After checking out and paying, I kept watching XSS Hunter, but there was no response. So I looked at my transaction and opened the invoice, and I saw this:

I found my payload in the invoice without any filtering.

Looking at the invoice, I found the columns Catatan Untuk Penjual and Dropshipper with the value of my XSS payload from XSS Hunter, but one of them was filtering my payload. At this point I assumed that my XSS payload would work in the Catatan Untuk Penjual field, and that all I had to do was wait for the seller to verify my order and ship my package. But I was wrong.

After a few days I noticed that my order had been shipped by the seller and I had received the tracking code. After receiving that notice, I looked at my XSS Hunter dashboard. I was surprised, because I got a response from Tokopedia on the seller side, so I assumed that my XSS had executed on the seller side, in the Catatan Untuk Penjual parameter.

Got a response from the seller side on the XSS Hunter dashboard.

After that, I quickly wrote a report and sent it to Tokopedia, stating that the XSS vulnerability was in the Catatan Untuk Penjual parameter. The next day, Tokopedia told me that the report was hard to understand and asked me for a plain alert, like in the previous report. I started trying to reproduce it with my own shop, so I could pop up the alert without bothering anyone else. But I got confused, because no pop-up appeared when I tried to reproduce it based on my recent experience. While I was rethinking what the problem was, my smartphone arrived. The courier delivered the package, and when I looked at the details of my package I was surprised to see my XSS pop up there.

My payload executed there.

Actually, the XSS vulnerability is not in Catatan Penjual, but in the Dropshipper parameter. I was too dumb not to look at the DOM in XSS Hunter; the captured DOM can show you exactly where your XSS fired. After that I reported it again to the Tokopedia IT Security Team.

Steps to Reproduce:

  1. Buy something.
  2. While checking out, fill the Dropshipper field with an XSS payload.
  3. Wait for the seller to confirm.
  4. The XSS will fire.

The XSS fired when the seller confirmed the order.
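The root cause described above is a buyer-controlled field (Dropshipper) that was stored and later rendered unencoded in the seller's order view, while its sibling field (Catatan Untuk Penjual) was encoded. The following is an added example, not Tokopedia's code: it models an invoice row renderer in the vulnerable and hardened forms and includes a check a reviewer can run over rendered output. The record shape, field names and the sample order are assumptions made for illustration.

```javascript
// Added example (not Tokopedia's code). Shows why a stored XSS like the one
// above happens and how consistent output encoding on the seller-side page
// prevents it. Field names and the record shape are assumptions.

// Encode the characters that let user text break out of an HTML text node
// or a double-quoted attribute value. '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed checkout record, as the seller-side invoice page might receive it.
// The buyer controls both free-text fields; the dropshipper name is the one
// that was rendered unencoded in the report above.
const sampleOrder = {
  invoiceId: 'INV-EXAMPLE-0001',                       // placeholder, not a real invoice id
  noteForSeller: 'Please pack carefully',
  dropshipperName: '<img src=x onerror="alert(1)">',   // constructed test input
};

// Vulnerable rendering: only one of the two fields is encoded, so markup in
// the other field is interpreted by the seller's browser.
function renderInvoiceUnsafe(order) {
  return `<tr><td>Catatan Untuk Penjual</td><td>${escapeHtml(order.noteForSeller)}</td></tr>` +
         `<tr><td>Dropshipper</td><td>${order.dropshipperName}</td></tr>`;
}

// Hardened rendering: every buyer-controlled value goes through the same
// encoder in one place, so a fix on one field cannot leave its sibling exposed.
function renderInvoiceSafe(order) {
  const fields = [
    ['Catatan Untuk Penjual', order.noteForSeller],
    ['Dropshipper', order.dropshipperName],
  ];
  return fields
    .map(([label, value]) => `<tr><td>${escapeHtml(label)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join('');
}

// Regression check: a buyer-supplied value that contains markup characters
// must never appear verbatim in the rendered page. Returns true on a leak.
function leaksRawInput(html, value) {
  return /[<>"'&]/.test(value) && html.includes(value);
}

console.log('unsafe renderer leaks raw input:', leaksRawInput(renderInvoiceUnsafe(sampleOrder), sampleOrder.dropshipperName)); // true
console.log('safe renderer leaks raw input:  ', leaksRawInput(renderInvoiceSafe(sampleOrder), sampleOrder.dropshipperName));   // false
```

The `leaksRawInput` check is the kind of assertion worth keeping in a template's test suite: it catches exactly the situation in the write-up, where one column was encoded and the neighbouring one was not. It also reflects the lesson about reading the captured DOM in XSS Hunter: the DOM shows which rendered element carried the unencoded value, which is what identifies the vulnerable parameter.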

Timeline:

  • Mar 7: First report sent
  • Mar 7: Tokopedia team asked for more information
  • Mar 7: Detailed report sent
  • Mar 9: Tokopedia confirmed the vulnerability and marked the bug as “Medium” severity
  • Mar 27: Tokopedia fixed the bug and asked for re-testing
  • Mar 27: I confirmed that the bug was fixed from my side
  • May 2: Rewarded

Thanks for reading, Happy Hacking!


Published by

apapedulimu

Urip Kui Urup
